Comparing tunneling options – Cisco ASA 5505 User Manual

71-5

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 71 Configuring Easy VPN Services on the ASA 5505

Comparing Tunneling Options

If you configure an ASA 5505 to use TCP-encapsulated IPsec, enter the following command to let it send
large packets over the outside interface:

hostname(config)# crypto ipsec df-bit clear-df outside

hostname(config)#

This command clears the Don't Fragment (DF) bit from the encapsulated header. A DF bit is a bit within
the IP header that determines whether the packet can be fragmented. This command lets the Easy VPN
hardware client send packets that are larger than the MTU size.

The following example shows how to configure the Easy VPN hardware client to use TCP-encapsulated
IPsec, using the default port 10000, and to let it send large packets over the outside interface:

hostname(config)# vpnclient ipsec-over-tcp

hostname(config)# crypto ipsec df-bit clear-df outside

hostname(config)#

The next example shows how to configure the Easy VPN hardware client to use TCP-encapsulated IPsec,
using the port 10501, and to let it send large packets over the outside interface:

hostname(config)# vpnclient ipsec-over-tcp port 10501

hostname(config)# crypto ipsec df-bit clear-df outside

hostname(config)#

To remove the attribute from the running configuration, use the no form of this command, as follows:

no vpnclient ipsec-over-tcp

For example:

hostname(config)# no vpnclient ipsec-over-tcp

hostname(config)#

Comparing Tunneling Options

The tunnel types the Cisco ASA 5505 configured as an Easy VPN hardware client sets up depends on a
combination of the following factors:

•

Use of the split-tunnel-network-list and the split-tunnel-policy commands on the headend to
permit, restrict, or prohibit split tunneling. (See the

Creating a Network List for Split-Tunneling,

page 67-50

and

“Setting the Split-Tunneling Policy” section on page 67-50

, respectively.)

Split tunneling determines the networks for which the remote-access client encrypts and sends data
through the secured VPN tunnel, and determines which traffic it sends to the Internet in the clear.

•

Use of the

vpnclient management

command to specify one of the following automatic tunnel

initiation options:

–

tunnel to limit administrative access to the client side by specific hosts or networks on the
corporate side and use IPsec to add a layer of encryption to the management sessions over the
HTTPS or SSH encryption that is already present.

–

clear to permit administrative access using the HTTPS or SSH encryption used by the
management session.

–

no to prohibit management access